Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

Markus Koschany apo at gambaru.de
Mon Mar 26 04:15:35 UTC 2012


On 26.03.2012 00:51, Simon McVittie wrote:
> Markus, if you install devscripts and debian-keyring, you should be able
> to download the packages from Alioth with dget, and verify the
> signatures on them by running dscverify on the .changes file (they're
> signed with my GPG key, which is in the Debian keyring).

Hi Simon,

thank you for your quick response and your detailed report. Both are
much appreciated. I have downloaded the amd64 package with dget and have
compared the actual openarena server in squeeze with the patched version
by monitoring the network traffic with iftop.

Although my dedicated openarena server with 4 bots has been offline for
more than 24h, the attacks resumed immediately. Once again the traffic
was directed towards web servers. This time I saw nearly 2MB/s outgoing
traffic to one target.

After I had installed your patched version the traffic dropped to 8kb/s.
In my opinion the patch is a vast improvement and mitigates the attack
efficiently. But I can't explain why there is such a difference between
your numbers and my observation though.

However, I would be happy if you could upload the patched version to the
official repositories.

Regards
Markus
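Added illustration, not code from this bug report, from Simon's upload or from the OpenArena/ioquake3 sources: a per-source token bucket of the kind used to throttle getstatus replies, run over a constructed stream of spoofed queries, shows why reflected traffic collapses once replies are rate-limited. The packet sizes, burst and refill period are assumptions chosen for the illustration.

```python
"""Constructed model of getstatus reflection and a per-source reply limiter."""
from collections import defaultdict

# Assumed sizes: the query is a few bytes, the reply carries the server's
# cvars plus one line per player/bot, so it is far larger (amplification).
QUERY_BYTES = 14          # "\xff\xff\xff\xffgetstatus"
REPLY_BYTES = 700         # status reply with 4 bots (illustrative value)


class TokenBucket:
    """Hypothetical leaky-bucket limiter keyed by the query's source address."""

    def __init__(self, burst, period):
        self.burst = burst      # replies a fresh source may get at once
        self.period = period    # seconds needed to refill one token
        self.state = {}         # addr -> (tokens, time of last query)

    def allow(self, addr, now):
        tokens, last = self.state.get(addr, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) / self.period)
        if tokens >= 1:
            self.state[addr] = (tokens - 1, now)
            return True
        self.state[addr] = (tokens, now)   # exhausted: drop the query silently
        return False


def reflected_bytes(queries, limiter=None):
    """Reply bytes sent to each (spoofed) source for a list of (time, src).
    Without a limiter every query is answered, the unpatched behaviour."""
    out = defaultdict(int)
    for t, src in queries:
        if limiter is None or limiter.allow(src, t):
            out[src] += REPLY_BYTES
    return dict(out)


def constructed_flood(victim, rate_per_sec, seconds):
    """Spoofed getstatus queries whose source address claims to be the victim."""
    return [(i / rate_per_sec, victim) for i in range(rate_per_sec * seconds)]


def amplification(reply_bytes, query_count):
    """Bytes the reflector emits per byte the attacker had to send."""
    return reply_bytes / (query_count * QUERY_BYTES)


if __name__ == "__main__":
    flood = constructed_flood("victim-web-server", 3000, 1)
    print("unlimited:", reflected_bytes(flood))
    print("limited:  ", reflected_bytes(flood, TokenBucket(burst=10, period=1.0)))
```

With the limiter the victim receives ten replies in the first second instead of three thousand, which is the kind of drop the traffic measurements above describe; genuine server browsers querying once from distinct addresses are still answered.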
